kezhuw commented on PR #2209:
URL: https://github.com/apache/zookeeper/pull/2209#issuecomment-2466111427

   > With the suggested change, both zcert.certstr and zcert.ca will point to 'server.crt', as follows,
   
   Does it matter if we never use `certstr` as `const char*`?
   
   The problem with the current approach is that it will **corrupt the program only after zookeeper_close** with cert str ",,,/tmp/certs/server.crt,/tmp/certs/client.crt,/tmp/certs/clientkey.pem,password" (be aware of the leading ",") as `ca` will point to an address not from `malloc`. My best wish is a crash.
   
   I think there are several ways to fix this:
   1. `zcert.ca = strtok(zcert.certstr, ",");`
   2. Enforce strong checking against input `certstr` and use only `ca`.
   3. Enforce strong checking against input `certstr` and use both `certstr` and `ca`.
   
   I prefer the first as it demands no API semantic changes.
   
   > I strongly recommend keeping the existing implementation to store the original SSL parameters.
   
   If you are going with this approach, please ensure `ca` points to an address from `malloc`.
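
The pointer mismatch discussed in the comment above, as an added example (not the ZooKeeper client's code and not part of the original comment): `strtok` skips leading delimiters, so the first token can start past the beginning of the allocation and must not be handed to `free`. The struct layout and the `cert_params_*` names are assumptions for illustration; the input string is the one quoted in the comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the client's cert struct (assumed layout). */
struct cert_params {
    char *certstr;                  /* owning pointer, the only one freed */
    char *ca, *cert, *key, *passwd; /* borrowed pointers into certstr */
};

/* Copy the input and tokenize the copy in place. */
static int cert_params_parse(struct cert_params *p, const char *input)
{
    size_t n = strlen(input) + 1;
    memset(p, 0, sizeof *p);
    p->certstr = malloc(n);
    if (p->certstr == NULL)
        return -1;
    memcpy(p->certstr, input, n);
    /* strtok skips leading delimiters, so ca may differ from certstr. */
    p->ca = strtok(p->certstr, ",");
    p->cert = strtok(NULL, ",");
    p->key = strtok(NULL, ",");
    p->passwd = strtok(NULL, ",");
    return 0;
}

/* Distance from the start of the allocation to the first token. */
static ptrdiff_t cert_params_ca_offset(const struct cert_params *p)
{
    return p->ca ? p->ca - p->certstr : -1;
}

/* Release via the owning pointer; free(p->ca) is undefined if offset != 0. */
static void cert_params_free(struct cert_params *p)
{
    free(p->certstr);
    memset(p, 0, sizeof *p);
}

int main(void)
{
    struct cert_params p;   /* sample input taken from the comment */
    if (cert_params_parse(&p, ",,,/tmp/certs/server.crt,/tmp/certs/client.crt,/tmp/certs/clientkey.pem,password") != 0) return 1;
    printf("ca=%s offset=%td\n", p.ca, cert_params_ca_offset(&p));
    cert_params_free(&p);
    return 0;
}
```

Because `strtok` writes terminators into the buffer, `certstr` no longer reads as the full original string after parsing, which only matters if it is later used as a `const char*`.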

